New Uyghur and Tibetan Themed Attacks Using PDF Exploits

On February 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit that was being used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because of the archaic Italian comments in the shellcode, copied from Dante Alighieri's "Divine Comedy".

Previously, we posted about another campaign hitting governments and other institutions, named Miniduke, which used the same "Divine Comedy" PDF exploits.

Since then, we have come across other attacks which piggyback on the same high-level exploit code, only this time the targets are different: Uyghur and Tibetan activists.

Together with our partners at AlienVault Labs, we analyzed these new exploits. Their blog post, which includes Yara rules and industry-standard IOCs, can be read [here]. Our own analysis follows below.

The new attacks

A few days ago, we observed several PDF files which carry the CVE-2013-0640 and CVE-2013-0641 (ItaDuke) exploits. Some of the MD5s and filenames include:

The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.

If the exploit is successful, the PDFs show a clean "lure" document to the user:

The first document (2013-Yilliq Noruz Bayram Merik isige Teklip.pdf) is a New Year's party invitation. The second one, "arp.pdf", is an authorization to request a reimbursement for a Tibetan activist group.

The JavaScript exploit code has a large comment block prepended, which was probably included to evade detection by certain anti-malware products.

The comment block and the exploit are exactly the same across all analyzed PDF files. Interestingly, the "sHOGG" string obfuscation function from ItaDuke has been removed, as has some of the obfuscation of the variable initialization:

All documents drop the same malware, detected by Kaspersky as Trojan.Win32.Agent.hwoo and Trojan.Win32.Agent.hwop. This is interesting: it is one of the rare cases in which the same threat actor hits both Tibetan and Uyghur activists at exactly the same time. It is possible this was timed to coincide with a human rights conference taking place in Geneva between 11-13 March, 2013.

"AcroRd32.exe" contains an encrypted block with the final payload, a backdoor of under 10KB, which is dropped as "clbcatq.dll" and run via Windows Update. The block can be easily spotted inside the dropper by a trained eye:

The block is encrypted with a simple xor + add algorithm. Here is the decryption routine for the final payload, applied to every byte of the block:

char key[] = "0l23kj@nboxu";   /* only key[0..7] ever takes part, because of the i & 7 mask */

for (i = 0; i < len; i++) {
    a = key[i & 7] + 6;
    buf[i] = (buf[i] ^ a) + a;
}

The final backdoor (clbcatq.dll) is 9728 bytes in size and was compiled on "Wed Jul 11 05:39:39 2012". The backdoor connects to its C&C server and requests further data using HTTP GET requests. The response from the server is expected to be a lightly encrypted DLL, which is then loaded and invoked through its exports "InfectFile" and "GetWorkType".

For all the servers, the malware requests "/news/show.asp", using a hard-coded User-Agent string of "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)". Note that this is the stock User-Agent of Internet Explorer 6 on Windows XP SP2, so on its own it is not a useful indicator; it only becomes meaningful in combination with the request path and the destination.

At the time of writing, all the domains resolve to the same IP address: 60.211.253.28. The server is located in China, in Shandong province:

The domains "micrsofts.com" and "hotmal1.com" appear to have been registered by the same person, although with very small differences in the registration data:
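The network indicators above (the C&C IP, the two domains, the request path and the User-Agent) can be turned into a simple proxy-log check. The following is an added example and not code from the original post or from AlienVault's IOC set: it assumes a constructed, space-separated proxy log layout (timestamp, client IP, destination IP, host, method, path, status, quoted User-Agent), and the sample lines, the client addresses and every non-campaign host in them are invented. Infrastructure matches are treated as strong on their own; the beacon pattern is only flagged when the path and the User-Agent match together, since the User-Agent is the stock IE6/XP string and "/news/show.asp" is a plausible name on any ASP site.

```python
import re
from typing import List, NamedTuple, Optional

# Network indicators quoted in the write-up (only the two named domains are reproduced here).
C2_IP = "60.211.253.28"
C2_DOMAINS = {"micrsofts.com", "hotmal1.com"}
C2_PATH = "/news/show.asp"
C2_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed proxy log layout (an assumption for this example, not a real product format):
#   <timestamp> <client_ip> <dest_ip> <host> <method> <path> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<host>\S+) '
    r'(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


class Hit(NamedTuple):
    line_no: int
    client: str
    host: str
    reason: str


def classify(dst: str, host: str, path: str, ua: str) -> Optional[str]:
    """Return a reason string if the request matches the campaign, else None.

    Infrastructure indicators (IP, domain or subdomain) are enough by themselves.
    The beacon pattern requires BOTH the path and the User-Agent: either one alone
    would match plenty of legitimate traffic.
    """
    host = host.lower().rstrip(".")
    if dst == C2_IP:
        return "destination is known C&C IP"
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        return "host is known C&C domain"
    if path == C2_PATH and ua == C2_UA:
        return "beacon pattern (path + User-Agent) to unlisted host"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Parse each log line and collect the ones that classify() flags."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        reason = classify(m["dst"], m["host"], m["path"], m["ua"])
        if reason:
            hits.append(Hit(n, m["client"], m["host"], reason))
    return hits


# Constructed sample log: line 1 hits on the IP, line 4 on a subdomain of a C&C domain,
# line 5 on the beacon pattern; lines 2 and 3 are benign look-alikes, line 6 is garbage.
SAMPLE_LOG = [
    '2013-03-12T09:01:10Z 10.0.0.15 60.211.253.28 micrsofts.com GET /news/show.asp 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2013-03-12T09:01:12Z 10.0.0.15 198.51.100.7 www.example.com GET /index.html 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '2013-03-12T09:02:30Z 10.0.0.23 198.51.100.9 intranet.example.com GET /news/show.asp 200 "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"',
    '2013-03-12T09:03:05Z 10.0.0.23 203.0.113.44 cdn.hotmal1.com GET /favicon.ico 404 "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"',
    '2013-03-12T09:04:41Z 10.0.0.31 203.0.113.77 updates.example.net GET /news/show.asp 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'this line is garbage and must be skipped',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.host}: {h.reason}")
```

Running the block against the constructed sample reports lines 1, 4 and 5 only: the IE6 request to www.example.com and the Firefox request to an internal "/news/show.asp" are left alone, which is the point of requiring path and User-Agent together.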

Stage 2

The command and control server replies with a 300K backdoor, which is sent in encrypted form. Here is how it looks as sent by the server:

The encoding is a per-byte sub 0x11 followed by a xor 0x11. Once decoded, we get the malware dropper, which was compiled on "Wed Jul 11 06:52:48 2012". This "stage 2" malware dropper is heuristically detected by Kaspersky products as HEUR:Trojan.Win32.Generic.
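Both per-byte schemes described in this post, the xor + add routine that unwraps the embedded clbcatq.dll and the sub 0x11 / xor 0x11 routine for the C&C response, are easy to reproduce in a stand-alone decoder, which is the practical way to carve the payloads out of a sample or a capture. The following is an added example, not code from the original post: it assumes that "sub 0x11 followed by xor 0x11" describes the decryption order as found in the malware, the two encrypt functions are only there to build test input (the malware has no need of them), and make_fake_pe builds a constructed stand-in for a DLL rather than any real payload. The looks_like_pe check is the sanity test a practitioner wants after decryption: a correctly decoded DLL must start with "MZ" and the e_lfanew field must point at a "PE\0\0" signature.

```python
# Key exactly as quoted in the write-up. The index is masked with (i & 7), so only the
# first eight bytes b"0l23kj@n" ever take part in the transform.
STAGE1_KEY = b"0l23kj@nboxu"


def stage1_decrypt(data: bytes) -> bytes:
    """Stage 1: recover the payload embedded in the dropper (xor, then add, per byte)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        a = (STAGE1_KEY[i & 7] + 6) & 0xFF
        out[i] = ((b ^ a) + a) & 0xFF
    return bytes(out)


def stage1_encrypt(data: bytes) -> bytes:
    """Inverse of stage1_decrypt; written here only to build test input (not malware code)."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        a = (STAGE1_KEY[i & 7] + 6) & 0xFF
        out[i] = ((b - a) & 0xFF) ^ a
    return bytes(out)


def stage2_decrypt(data: bytes) -> bytes:
    """Stage 2: decode the C&C response (sub 0x11, then xor 0x11, per byte; order assumed)."""
    return bytes(((b - 0x11) & 0xFF) ^ 0x11 for b in data)


def stage2_encrypt(data: bytes) -> bytes:
    """Inverse of stage2_decrypt, again only for building test input."""
    return bytes(((b ^ 0x11) + 0x11) & 0xFF for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check for a decoded blob: 'MZ' at offset 0, and e_lfanew (the little-endian
    dword at 0x3c) must point at a 'PE\\0\\0' signature that lies inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_fake_pe() -> bytes:
    """Constructed stand-in for a DLL: a DOS header whose e_lfanew points at a PE
    signature at 0x40. Not a real or runnable executable."""
    buf = bytearray(b"\xab" * 0x48)  # filler so every byte exercises the transform
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def roundtrip(encrypt, decrypt) -> bool:
    """Encrypt the fake DLL, check that the ciphertext no longer parses as PE,
    decrypt, and check we are back to the original bytes."""
    plain = make_fake_pe()
    enc = encrypt(plain)
    if looks_like_pe(enc):
        return False
    dec = decrypt(enc)
    return looks_like_pe(dec) and dec == plain


if __name__ == "__main__":
    print("stage 1 round trip:", roundtrip(stage1_encrypt, stage1_decrypt))
    print("stage 2 round trip:", roundtrip(stage2_encrypt, stage2_decrypt))
```

To use this on a real sample, read the carved block from AcroRd32.exe (or the body of the HTTP response) as bytes, run the matching decrypt function over it and keep the result only if looks_like_pe passes; if it does not, the most likely causes are a wrong block offset or the opposite order of the two operations, which is worth checking before assuming a different key.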

Conclusions

The threat actors behind these attacks are very active and continuously adopt new methods and new exploits to attack their victims. We have previously seen them use CVE-2013-0158 and CVE-2010-3333, in addition to exploits for Mac OS X taking advantage of CVE-2009-0563.

The PDF exploit originally discovered by FireEye is the first known exploit capable of bypassing the Adobe Reader X sandbox. Because of this capability, it is extremely valuable to any attacker. Although it was probably developed for (or by) a nation state originally, we now see it being copied and reused by other threat actors. This is becoming common practice, and we can expect more such piggybacking or exploit theft in the future.
